r1der
Advisor

Filter out logs for "First packet isn't SYN"?

Hi All,

Is there a way to filter out logs for websites that have a drop for "First packet isn't SYN"?

I'm trying to find whether a website was blocked due to the firewall, and sort out the logs by username/not action:accept, but the "First Packet isn't SYN" logs are burying the logs I want to see.

 

Hardware: 6000 series
Smb: Smart-1 410 
Version: R81.10 take 79

Thanks!

 


Accepted Solutions
the_rock
Legend

Sorry, apologies mate, I don't have access to the dashboard now, but I recall doing a similar filter before and you can do something like this -> NOT "First packet isn't SYN", or if you look at any logs containing that message, find the column containing those words, then right-click on it and select the filter; that works as well.

7 Replies
r1der
Advisor

Thanks @the_rock, you rock! 

I thought I tried it that way (123.456.789 and NOT "First packet isn't SYN") but maybe I had something off. That works.

the_rock
Legend

Glad it helped, mate! By the way, I just like to think I'm like the REAL Rock (Dwayne Johnson), but in reality, compared to him, I'm more Mr Pebble ;-)

Cheers.

G_W_Albrecht
Legend

I would try to get rid of the First packet isn't SYN messages first; it does not look healthy at all!

CCSE CCTE CCSM SMB Specialist
r1der
Advisor

@G_W_Albrecht Thanks, I'm really confused about the First packet isn't SYN errors. I've read so much about it; I don't know which to believe anymore. 
I even opened a case with support previously about it, and they told me it's regular to see those. Some threads here even say it's normal. Is there a way you suggest I can get rid of them? I wouldn't even know how to get hold of some of the web developers for the sites that are showing these "blocks" for First packet isn't SYN.

Note: I don't have https inspection checked yet.

 

the_rock
Legend

Man, that's a tricky one... whoever says those messages are normal, I would not say they are right, BUT they are not wrong either. It really depends on the situation... you will see those messages ANY TIME a connection is out of order. So as we all know, you've got the 3-way handshake, SYN <-> SYN-ACK <-> ACK. So, at the end of the day, the message clearly tells you that's not happening; the hardest part is figuring out WHY NOT.

G_W_Albrecht
Legend

Usually, this is caused by asymmetrical routing - e.g. same connection packets arriving from different IFs.

CCSE CCTE CCSM SMB Specialist
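
The handshake and asymmetric-routing points made in the replies above, as an added example that is not part of the original thread and is not Check Point code: a toy stateful-inspection model showing why a SYN-ACK gets the "First packet isn't SYN" verdict when it is checked against a state table that never recorded the SYN. The `StateTable` class, the `handshake` helper and the addresses are constructed for illustration; a real gateway tracks far more TCP state than this.

```python
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10  # TCP flag bits


@dataclass
class StateTable:
    """Hypothetical, simplified connection table of one inspection point."""
    name: str
    conns: set = field(default_factory=set)

    @staticmethod
    def key(src, sport, dst, dport):
        # Normalise so both directions of a connection map to the same entry.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def inspect(self, src, sport, dst, dport, flags):
        k = self.key(src, sport, dst, dport)
        if k in self.conns:
            return "accept"            # packet belongs to a known connection
        if flags & SYN and not flags & ACK:
            self.conns.add(k)          # a pure SYN may open a new connection
            return "accept"
        # No entry and not a pure SYN: the packet is out of state.
        return "drop: First packet isn't SYN"


def handshake(outbound, inbound):
    """Run SYN, SYN-ACK, ACK; the server's reply is inspected by `inbound`."""
    client = ("10.0.0.5", 40000)       # constructed sample endpoints
    server = ("192.0.2.10", 443)
    steps = [
        (outbound, client, server, SYN),
        (inbound, server, client, SYN | ACK),
        (outbound, client, server, ACK),
    ]
    return [t.inspect(*a, *b, flags) for t, a, b, flags in steps]


if __name__ == "__main__":
    one = StateTable("A")
    print("symmetric :", handshake(one, one))
    print("asymmetric:", handshake(StateTable("A"), StateTable("B")))
```

In the asymmetric run only the SYN-ACK is dropped, which matches the pattern of isolated out-of-state drops on return traffic while the forward direction is still accepted.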